Re: redundant LDAP server with free-radius
Got you, mate. I was kind of confused by

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }

Looking at this makes things more clear:

    modules {
        mschap {
            authtype = MS-CHAP

Still, Failover is kind of inconsistent/incomplete without pointing this out (though it is an indirect detail). Other parts of the doc might well have a reference to that, but IMO it is worth referring to this on the failover page; the doc is supposed to help people get answers... People might never come to renaming module instances but for redundancy. Since it is a Wiki, I can probably update it by adding ~200-300 bytes of text, and in case you won't like it, you can always roll it back.

A.

on 2/1/2007 4:55 PM Alan DeKok wrote:
> Alexei Monastyrnyi wrote:
>> this works as expected, though it is not that obvious that Auth-Type name refers to module name, and not just names the method...
>
> It defines the method, but doesn't make the module set Auth-Type to that method.
>
>> Or I might have missed that from the documentation. Anyway, fail-over section does not reflect this IMO. Not a note of authenticate sub-section at all... should it be updated?
>
> Modules having authenticate sections automatically have Auth-Type definitions created based on their name. This is normally the module name (i.e. LDAP), unless the module has an *instance* name, in which case it's the instance name.
>
> The LDAP module sets Auth-Type to its *instance* name, not to LDAP. That appears to be the piece you're missing. This has nothing to do with failover.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
redundant LDAP server with free-radius
Folks, sorry for bringing this up again.

I am running FreeRADIUS 1.1.4 and OpenLDAP 2.3.32 on two Solaris10/x86 hosts. Non-redundant config works fine with FreeRADIUS and OpenLDAP on a single host.

    modules {
        ldap {
        }
    }
    authorize {
        ...
        ldap
    }
    authenticate {
        ...
        Auth-Type LDAP {
            ldap
        }
    }

When I use a redundant config as per instruction in docs, I have the

    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

in debugs and user is rejected. Please see config and debug output below. I guess I am missing some fine detail here. Your help would be highly appreciated.

    modules {
        ldap ds-01 {
        }
        ldap ds-02 {
        }
    }
    authorize {
        ...
        redundant {
            ds-02
            ds-01
        }
    }
    authenticate {
        ...
        Auth-Type LDAP {
            redundant {
                ds-02
                ds-01
            }
        }
    }

Debug output

    rad_recv: Access-Request packet from host 1.1.1.1:3283, id=29, length=47
        User-Name = qwer
        User-Password = qwer
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = qwer, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    modcall: entering group redundant for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for qwer
    radius_xlat: '(&(objectClass=posixAccount)(l=*)(uid=qwer))'
    radius_xlat: 'dc=my,dc=com'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to localhost:389, authentication 0
    rlm_ldap: bind as / to localhost:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=my,dc=com, with filter (&(objectClass=posixAccount)(l=*)(uid=qwer))
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user alexeim authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ds-02 returns ok for request 0
    modcall: leaving group redundant (returns ok) for request 0
    modcall: leaving group authorize (returns ok) for request 0
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds
    Finished request 0

TIA
A.
Re: redundant LDAP server with free-radius
Thanks Alan. But I do define it when switching from single server to redundant group, don't I?

    Auth-Type LDAP {
        ldap
    }

to

    Auth-Type LDAP {
        redundant {
            ds-02
            ds-01
        }
    }

Isn't that enough?

A.

> Alexei Monastyrnyi wrote:
>> When I use a redundant config as per instruction in docs, I have the
>> auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user in debugs and user is rejected. Please see
>> config and debug output below. I guess I am missing some fine detail
>> here. Your help would be highly appreciated.
>
> The modules are named ds-01 and ds-02, not LDAP. In this case, you will have to set Auth-Type to LDAP by hand.
>
> Alan DeKok.
Re: redundant LDAP server with free-radius
No arguing here, just clearing up things... :-) Stay cool.

This works as expected, though it is not that obvious that the Auth-Type name refers to the module name, and not just names the method... Or I might have missed that from the documentation. Anyway, the fail-over section does not reflect this IMO. Not a note of the authenticate sub-section at all... should it be updated?

http://wiki.freeradius.org/Fail-over

    authorize {
        ...
        redundant {
            ds-02
            ds-01
        }
    }
    authenticate {
        ...
        Auth-Type ds-01 {
            ds-01
        }
        Auth-Type ds-02 {
            ds-02
        }
    }

on 2/1/2007 4:04 PM Alan DeKok wrote:
> Alexei Monastyrnyi wrote:
>> But I do define it when switching from single server to redundant group, don't I?
>
> Yes.
>
>> Isn't that enough?
>
> What did my previous response say? You can argue with me, or you can try what I suggested, and verify for yourself that it works.
>
> As a hint: when the LDAP module sets Auth-Type, it sets the value to the name of the module... which in your case is ds-01, not LDAP.
>
> Alan DeKok.
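The mismatch Alan describes (rlm_ldap sets Auth-Type to its instance name, so an "Auth-Type LDAP" section is never matched once the instances are called ds-01 and ds-02) can be caught before restarting radiusd. The following is an added example, not FreeRADIUS code: a small Python lint that parses a radiusd.conf-style snippet and lists ldap instances that have no matching Auth-Type section in authenticate. It assumes the brace layout used in this thread (one item per line) and that Auth-Type names compare case-insensitively; the server names in the sample configs are placeholders.

```python
# Added lint: every rlm_ldap instance needs an "Auth-Type <instance> {" section in authenticate {}.
def parse_sections(text):
    """Parse radiusd.conf-style braces into nested dicts of header/children/items."""
    root = {"header": "", "children": [], "items": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):                     # e.g. "ldap ds-01 {" opens a sub-section
            node = {"header": line[:-1].strip(), "children": [], "items": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        else:
            stack[-1]["items"].append(line)        # module call or "key = value"
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root

def children_of(root, name):
    return next((c["children"] for c in root["children"] if c["header"] == name), [])

def ldap_auth_types(root):
    """Auth-Type value each ldap instance will set: its instance name, else the module name."""
    names = []
    for words in (m["header"].split() for m in children_of(root, "modules")):
        if words[0] == "ldap":
            names.append(words[1] if len(words) > 1 else "ldap")
    return names

def missing_auth_types(text):
    """ldap instances with no "Auth-Type <name> {" section inside authenticate {}.
    Assumption: Auth-Type names are matched case-insensitively (LDAP == ldap)."""
    root = parse_sections(text)
    defined = {s["header"].split()[1].lower() for s in children_of(root, "authenticate")
               if s["header"].startswith("Auth-Type ")}
    return [n for n in ldap_auth_types(root) if n.lower() not in defined]

# Constructed configs modelled on the thread (server names are placeholders).
MODULES = "modules {\n ldap ds-01 {\n server = ldap1.example.test\n }\n ldap ds-02 {\n server = ldap2.example.test\n }\n}\n"
BROKEN = MODULES + "authenticate {\n Auth-Type LDAP {\n redundant {\n ds-02\n ds-01\n }\n }\n}\n"
FIXED = MODULES + "authenticate {\n Auth-Type ds-01 {\n ds-01\n }\n Auth-Type ds-02 {\n ds-02\n }\n}\n"

if __name__ == "__main__":
    print("broken:", missing_auth_types(BROKEN))   # ['ds-01', 'ds-02']
    print("fixed: ", missing_auth_types(FIXED))    # []
```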
Re: groupmembership_filter for LDAP module [sec: unclas]
Thanks for your advice! Something is still missing.

Here is what I have in the LDAP section of radiusd.conf

    basedn = dc=mydomain,dc=com
    filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
    groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
    groupname_attribute = cn

And in users

    DEFAULT Auth-Type = LDAP

    DEFAULT LDAP-Group == vpnusers
        Service-Type = Administrative-User

radiusd -X says when reading the LDAP section

    ...
    ldap: basedn = dc=mydomain,dc=com
    ldap: filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
    ldap: base_filter = (objectclass=radiusprofile)
    ldap: default_profile = (null)
    ldap: profile_attribute = (null)
    ldap: password_header = (null)
    ldap: password_attribute = (null)
    ldap: access_attr = (null)
    ldap: groupname_attribute = cn
    ldap: groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
    ldap: groupmembership_attribute = (null)
    ldap: dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
    ldap: ldap_debug = 0
    ldap: ldap_connections_number = 5
    ldap: compare_check_items = yes
    ldap: access_attr_used_for_allow = yes
    ldap: do_xlat = yes
    rlm_ldap: Registering ldap_groupcmp for Ldap-Group
    ...

But it says nothing about any search for the vpnusers group during login, which is still successful for users outside the group.

A.

on 8/22/2006 9:47 AM Ranner, Frank MR wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alexei Monastyrnyi
> Sent: Tuesday, 22 August 2006 07:12
> To: FreeRadius users mailing list
> Subject: groupmembership_filter for LDAP module
>
> Hi List.
>
> I am trying to enable group filter to allow only certain LDAP users to be able to login to my VPN hub.
>
> I run FreeRADIUS 1.0.2 on SPARC Solaris 9
>
> All users are in group cn=vpnusers,ou=group,dc=mydomain,dc=com listed as memberUids
>
> In radiusd.conf I have the following
>
>     filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
>     groupmembership_filter = (&(&(cn=vpnusers)(objectClass=posixGroup))(memberUid=%{Stripped-User-Name:-%{User-Name}}))
>     groupmembership_attribute = vpnusers
>
> It doesn't seem to work, no sign of searching for vpnusers in LDAP server logs and users that are not in this group are still able to log in.
>
> I may be missing something... Hints of where to look would be highly appreciated.
>
> Cheers, A.
>
> Reply:
>
> 1. You need to have an LDAP-Group check item in users:
>
>     DEFAULT LDAP-Group == vpnusers
>         Service-Type = Administrative-User
>
> 2. You need groupname_attribute. This is ANDed to the filter to provide (below).
>
>     groupname_attribute = cn
>
> 3. Your filter is overcomplicated, all you need is this:
>
>     (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
>
> The rlm_ldap module adds on (cn=vpnusers) as a result of items 1 and 2.
>
> That's it. As long as the other stuff is right like the binddn, the base dn this should at least generate ldap activity in the radiusd -X output.
>
> Regards,
> Frank Ranner
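To make items 1 to 3 of Frank's reply concrete, here is an added Python model (not rlm_ldap's own code) of the search FreeRADIUS ends up sending for an "LDAP-Group == vpnusers" check item: the groupmembership_filter with %{Stripped-User-Name:-%{User-Name}} expanded, ANDed with (groupname_attribute=group). The (&(cn=...)...) form and the RFC 4515 hex-escaping of values taken from the request are assumptions modelled on the thread, and the sample names are constructed.

```python
"""Added model of the group-membership search rlm_ldap builds from the settings in the thread."""
import re

XLAT = re.compile(r"%\{([A-Za-z0-9-]+)(?::-([^{}%]*))?\}")   # %{Attr} or %{Attr:-default}


def ldap_escape(value):
    """RFC 4515 hex-escape filter metacharacters in a value taken from the request.
    Braces and '%' are escaped too (legal per RFC 4515) so an expanded value is never re-expanded."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0%{}" else ch for ch in value)


def xlat(template, attrs):
    """Expand the innermost %{...} first, so %{Stripped-User-Name:-%{User-Name}} falls back
    to User-Name when no realm was stripped. Attribute values are escaped; literal defaults are not."""
    def expand(m):
        value = attrs.get(m.group(1))
        return ldap_escape(value) if value else (m.group(2) or "")
    previous = None
    while previous != template:
        previous, template = template, XLAT.sub(expand, template)
    return template


def group_filter(conf, attrs, group):
    """Filter for an "LDAP-Group == group" check item: groupmembership_filter ANDed with
    (groupname_attribute=group). The (&(cn=...)...) layout is an assumption, as noted above."""
    member = xlat(conf["groupmembership_filter"], attrs)
    return "(&(%s=%s)%s)" % (conf["groupname_attribute"], ldap_escape(group), member)


# Constructed settings matching the corrected configuration from the thread.
CONF = {
    "groupname_attribute": "cn",
    "groupmembership_filter":
        "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))",
}

if __name__ == "__main__":
    # Plain user name: the fallback to User-Name is taken.
    print(group_filter(CONF, {"User-Name": "alice"}, "vpnusers"))
    # Realm stripped by the suffix module: Stripped-User-Name wins.
    print(group_filter(CONF, {"User-Name": "bob@example.test", "Stripped-User-Name": "bob"}, "vpnusers"))
    # Filter metacharacters in the request are escaped, not interpreted.
    print(group_filter(CONF, {"User-Name": "x*)(uid=*"}, "vpnusers"))
```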
groupmembership_filter for LDAP module
Hi List.

I am trying to enable a group filter to allow only certain LDAP users to be able to login to my VPN hub.

I run FreeRADIUS 1.0.2 on SPARC Solaris 9

All users are in group cn=vpnusers,ou=group,dc=mydomain,dc=com listed as memberUids

In radiusd.conf I have the following

    filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
    groupmembership_filter = (&(&(cn=vpnusers)(objectClass=posixGroup))(memberUid=%{Stripped-User-Name:-%{User-Name}}))
    groupmembership_attribute = vpnusers

It doesn't seem to work, no sign of searching for vpnusers in LDAP server logs and users that are not in this group are still able to log in.

I may be missing something... Hints of where to look would be highly appreciated.

Cheers, A.
Re: special characters in passwords + FR + ldap
You can try to log passwords sent to FR by the NAS and snoop passwords sent by FR to LDAP, + switch on logging on LDAP and check why the BIND operation between FR and LDAP fails. The bottom line here is that the password with special chars is the same all the way down to the LDAP server.

on 04/03/2006 22:19 Natalia Escalera wrote:
> Hello,
>
> What is needed is that Freeradius accepts passwords even if special characters are part of them.
> This is what is happening:
>
>     pass$word - FR - LDAP - FR (Answer: wrong password)
>
> Any ideas of how to solve it?
>
> Thank you,
> Natalia.
>
> On 3/3/06, Alexei Monastyrnyi [EMAIL PROTECTED] wrote:
>> Hey. Does one need to handle it in any special way? I have a deployment like this, where special chars work as good as normal ones.
>>
>>     Cisco VPN clients - Cisco PIX - FreeRADIUS - OpenLDAP.
>>
>> A.
>>
>> on 03/03/2006 00:28 Natalia Escalera wrote:
>>> Hello all,
>>>
>>> Does somebody know how to handle passwords having special characters in between (e.g. $ ) when doing freeradius-ldap authentication?
>>>
>>> Thank you,
>>> Natalia.
Re: special characters in passwords + FR + ldap
Hey. Does one need to handle it in any special way? I have a deployment like this, where special chars work as good as normal ones.

    Cisco VPN clients - Cisco PIX - FreeRADIUS - OpenLDAP.

A.

on 03/03/2006 00:28 Natalia Escalera wrote:
> Hello all,
>
> Does somebody know how to handle passwords having special characters in between (e.g. $ ) when doing freeradius-ldap authentication?
>
> Thank you,
> Natalia.
rlm_eap_tls.so is missing
Hi List!

This might be off-topic but I couldn't find any solution so far.

I am running FreeRADIUS 1.1.0 on Solaris 9 (SPARC) and cannot get it configured with PEAP support. Both FreeRADIUS and OpenSSL 0.9.8 are built from sources with no errors or warnings. When I start radiusd with the PEAP section in the config file, it gives me a segmentation fault. truss shows that radiusd tries to open files rlm_eap_tls.so etc. Those files I cannot find among the binaries after installation.

Does someone have a clue what is going on here?

Cheers, A.
FreeRADIUS + MPPE for PPTP VPN clients
Hi List.

I have a Q about MS-CHAP and MPPE configuration for FreeRADIUS.

OS and software versions

    Servers
        OS          Solaris 9 SPARC
        FreeRADIUS  1.0.2
        OpenLDAP    2.2.24
        SAMBA       3.0.11
    Network gateways
        Cisco PIX 506, IOS 6.3(4)
    PPTP VPN Clients
        Windows 2K/XP, MAC OSX.

The RADIUS server we're talking about is a secondary LDAP server and SAMBA BDC as well. I'd like to use this FreeRADIUS as a username/password backend for PPTP VPN clients. The VPN hub in my case is a Cisco PIX device, which supports AAA RADIUS for PPTP VPDN groups. PPTP VPN against Cisco PIX works perfectly well with local authentication, i.e. when usernames/passwords are configured locally on the PIX.

The RADIUS is already configured with OpenLDAP as a backend, authenticating against the userPassword attribute. This part works OK. The OpenLDAP server is also a backend for my SAMBA domain controller, the same domain I'm trying to use for user logins via PPTP VPN. All users have both POSIX and SAMBA attributes in LDAP.

The following chain works.

    Cisco VPN clients --- NAS --- RADIUS --- LDAP

This one doesn't

    PPTP VPN clients --- NAS --- RADIUS --- SAMBA --- LDAP

I have configured the RADIUS server as follows (omitted some lines here).

Modules section

    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        #require_encryption = yes
        #require_strong = yes
        #with_ntdomain_hack = no
        #ntlm_auth = /usr/local/samba/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
    }
    ldap {
        server = localhost
        basedn = ou=People,dc=orcsoftware,dc=com
        filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
        start_tls = no
        password_attribute = userPassword
    }
    authorize {
        preprocess
        auth_log
        reply_log
        mschap
        suffix
        ldap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        Auth-Type LDAP {
            ldap
        }
    }

For PPTP logins it doesn't work for user MYDOMAIN\username and the server says (omitting the beginning of debug)

    Fri Jun 3 12:50:37 2005 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 0
    Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: No User-Password configured. Cannot create LM-Password.
    Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: No User-Password configured. Cannot create NT-Password.
    Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: Told to do MS-CHAPv1 with NT-Password
    Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
    Fri Jun 3 12:50:37 2005 : Debug: rlm_mschap: MS-CHAP-Response is incorrect.

My Q is: should I use the ntlm_auth program for getting NTLM passwords? If yes, should my RADIUS server join the SAMBA domain which it is trying to use? Actually I'm a bit confused here, and highlighting how RADIUS obtains or generates MPPE keys might be helpful. Any hints or useful URLs would be highly appreciated.

Cheers, A.
Re: Configuring maximum number of password attempts
Hi.

From the FreeRADIUS debug I can conclude that it first does a search against LDAP with the given username and base DN and then, if the search is successful, binds with the given credentials. Both posixAccount and shadowAccount in LDAP do not have any attributes to count bad passwords and block users based on that. You can lock a user with shadowAccount by putting LK in the beginning of his userPassword attribute value IIRC. But counting 3 or more bad passwords in a row is a kind of extended logic here. There is an option for this in the sambaSamAccount object class, but people complain that it is not working as promised.

Just my 2 cents.
A.

[EMAIL PROTECTED] wrote:
> Hi all,
>
> I am using freeradius to talk to an OpenLDAP server to validate passwords. This all works fine and dandy. If the user enters the right password they get in, if they enter the wrong password they don't.
>
> However, I can't find a way of locking out the user if they enter an invalid password three times in a row. I've trolled through the LDAP stuff but can't find anything in there.
>
> Is there a way I can create a password policy to do this?
>
> |\/|artin
> --
> Senior Network Administrator, NEC (Europe) Ltd.
> Acton extension: 3379
> NEC*Net: 800-44-21-3379
> Direct: +44 20 8752 3379
> Fax: +44 20 8752 3389
> Mobile: +44 7721 869 356
Re: FreeRadius documentation
Hi.

There is a bit of info here, which is pretty much in correlation with the O'Reilly book RADIUS.

http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/radius.html

The book helped me a lot with configuring simple auth via RADIUS against the LDAP userPassword attribute. I'm now trying to find something for NTLM passwords and MPPE keys to authenticate PPTP VPN clients. Pls drop me a line if you meet it somewhere.

A.

James Flockton wrote:
> All,
>
> Just wondering if anyone can point me towards some good documentation for FreeRadius please? I'm wanting to build a box running Radius and using OpenLDAP for authentication detail i.e. user name, IP etc.
>
> Many thanks
> James
Re: Filter
Hi.

Filter here is a usual LDAP filter; you can find some good examples in the OpenLDAP documentation or man pages. Or you can check here.

http://www.zytrax.com/books/ldap/apa/search.html

The complete RFC for this is # 2254.

A.

José Berenguer wrote:
> Hello,
>
> Can anyone tell me where I can find some instructions about how to configure the filter= option in the module ldap subsection of radiusd.conf?
>
> Thanks a lot!